From owner-freebsd-questions  Sun Dec 23 23:44:26 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from mta3n.bluewin.ch (mta3n.bluewin.ch [195.186.1.212])
	by hub.freebsd.org (Postfix) with ESMTP id 9629337B419
	for <freebsd-questions@freebsd.org>; Sun, 23 Dec 2001 23:44:21 -0800 (PST)
Received: from saturn.spectraweb.ch (195.186.190.213) by mta3n.bluewin.ch (Bluewin AG 6.0.039)
        id 3C234FE80002659D for freebsd-questions@freebsd.org; Mon, 24 Dec 2001 08:43:44 +0100
Received: (from martin@localhost)
	by saturn.spectraweb.ch (8.11.6/8.11.6) id fBO8ps300345
	for freebsd-questions@freebsd.org; Mon, 24 Dec 2001 09:51:54 +0100 (CET)
	(envelope-from pcservi@spectraweb.ch)
Date: Mon, 24 Dec 2001 09:51:43 +0100
From: Martin Schweizer <pcservi@spectraweb.ch>
To: freebsd-questions@freebsd.org
Subject: Re: ipfw & ftp
Message-ID: <20011224095143.B318@spectraweb.ch>
Reply-To: Martin Schweizer <info@pc-service.ch>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
User-Agent: Mutt/1.2.5i
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-questions>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-questions>
X-Loop: FreeBSD.ORG

Hello Darryl

I attached you my rc.firewall. I found a solution with passive and active ftp.

On Fri, Dec 21, 2001 at 02:05:10PM -0600 Darryl Hoar wrote:
> Greetings,
> I have setup a firewall/router.  My LAN has mostly
> win9x, winNt & win2000 clients on it.  Since I installed
> the firewall, users have been unable to download files
> from the internet that are on the vendors ftp site.  The
> firewall logs show nothing, but I'm assuming its related
> to the firewall.
> 
> How do I get around this problem safely?

-- 
Regards
Martin Schweizer
<info@pc-service.ch>

PC-Service M. Schweizer; Gewerbehaus Schwarz; CH-8608 Bubikon
Tel. +41 55 243 30 00; Fax: +41 55 243 33 22; http://www.pc-service.ch

# ipfw add allow all from 192.168.1.1/24 to any keep-state #Freigabe für das interne Netzwerk
# ipfw flush
# ipfw add allow all from any to any
# keep-state =  ermöglicht während einer bestimmten Zeit, die Kommunikation
#		zwischen Client und Server. Nach dieser Zeit (TTL), wird der
#		Port wieder geschlossen

# DNS (läuft nur über UDP)
ipfw add allow udp from me to any 53 keep-state
ipfw add allow udp from 192.168.1.1/24 to any 53 keep-state
# DHCP
ipfw add allow udp from 192.168.1.1/24 68 to 192.168.1.1/24 67 keep-state
ipfw add allow udp from me 67 to 192.168.1.1/24 68 keep-state
ipfw add allow udp from me 67 to 192.168.1.1/24 67 keep-state
ipfw add allow udp from 192.168.1.1/24 67 to me 67 keep-state
# SMTP
ipfw add allow tcp from me to any 25 keep-state
ipfw add allow udp from me to any 25 keep-state
ipfw add allow tcp from 192.168.1.1/24 to any 25 keep-state
ipfw add allow udp from 192.168.1.1/24 to any 25 keep-state
# POP3
ipfw add allow tcp from me to any 110 keep-state
ipfw add allow udp from me to any 110 keep-state
ipfw add allow tcp from 192.168.1.1/24 to any 110 keep-state
ipfw add allow udp from 192.168.1.1/24 to any 110 keep-state
# HTTP
ipfw add allow tcp from me to any 80 keep-state
ipfw add allow udp from me to any 80 keep-state
ipfw add allow tcp from 192.168.1.1/24 to any 80 keep-state
ipfw add allow udp from 192.168.1.1/24 to any 80 keep-state
# FTP
ipfw add allow tcp from any to any 20 keep-state
ipfw add allow tcp from any to any 21 keep-state
ipfw add allow tcp from any 20 to me 1024-49151 keep-state # aktives FTP
ipfw add allow tcp from any 20 to 192.168.1.1/24 1024-49151 keep-state
# ipfw add allow tcp from me 1024-49151 to any keep-state # passives FTP 1.
# ipfw add allow tcp from any 10224-49151 to me keep-state # passives FTP 2.
# SSH
ipfw add allow tcp from me to any 22 keep-state
ipfw add allow tcp from 192.168.1.1/24 to any 22 keep-state
# Telnet
ipfw add allow tcp from me to any 23 keep-state
ipfw add allow tcp from 192.168.1.1/24 to any 23 keep-state
ipfw add allow tcp from 192.168.1.1/24 to me keep-state
# Ping / TraceRoute
ipfw add allow icmp from me to any
ipfw add allow icmp from any to me
ipfw add allow icmp from 192.168.1.1/24 to any
ipfw add allow icmp from any to 192.168.1.1/24
# NetBIOS (Samba)
ipfw add allow 137 from me to 192.168.1.1/24 keep-state
ipfw add allow 137 from 192.168.1.1/24 to me keep-state
ipfw add allow 139 from me to 192.168.1.1/24 keep-state
ipfw add allow 139 from 192.168.1.1/24 ro me keep-state
# Whois
ipfw add allow tcp from me to any 63 keep-state
ipfw add allow udp from me to any 63 keep-state
ipfw add allow tcp from 192.168.1.1/24 to any 63 keep-state
ipfw add allow udp from 192.168.1.1/24 to any 63 keep-state
# Gopher
ipfw add allow tcp from me to any 70 keep-state
ipfw add allow udp from me to any 70 keep-state
ipfw add allow tcp from 192.168.1.1/24 to any 70 keep-state
ipfw add allow udp from 192.168.1.1/24 to any 70 keep-state
# Finger
ipfw add allow tcp from me to any 79 keep-state
ipfw add allow udp from me to any 79 keep-state
ipfw add allow tcp from 192.168.1.1/24 to any 79 keep-state
ipfw add allow udp from 192.168.1.1/24 to any 79 keep-state
# NNTP
ipfw add allow tcp from me to any 119 keep-state
ipfw add allow udp from me to any 119 keep-state
ipfw add allow tcp from 192.168.1.1/24 to any 119 keep-state
ipfw add allow udp from 192.168.1.1/24 to any 119 keep-state
# NTP
ipfw add allow tcp from me to any 123 keep-state
ipfw add allow udp from me to any 123 keep-state
ipfw add allow tcp from 192.168.1.1/24 to any 123 keep-state
ipfw add allow udp from 192.168.1.1/24 to any 123 keep-state
# CVSUP
ipfw add allow tcp from me to any 5999 keep-state
ipfw add allow tcp from 192.168.1.1/24 to any 5999 keep-state
# Mailverwaltung Swiss-Web
ipfw add allow tcp from me to any 88 keep-state
ipfw add allow tcp from 192.168.1.1/24 to any 88 keep-state


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message